Creating a VM control file from a forensic image

In general, VM software needs both an image and associated control files.

There are a number of ways to create the VM control files needed to run an image as a VM instance. At present, this article primarily lists a series of tools that can create VMDK VM control files.
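For a raw (dd) image no conversion tool is strictly needed: a VMDK "control file" is a small text descriptor that can point at the raw image as a flat extent. The following POSIX shell function, added here as an example and not taken from the article or from any of the tools it lists, writes such a descriptor. It assumes the image is raw (an E01 must first be mounted or exported as raw, as the EnCase section describes) and that the descriptor will live in the same directory as the image, since the extent line references the image by file name.

```shell
#!/bin/sh
# Added example (not from the original article): write a VMDK descriptor that
# references an existing raw dd image as a flat extent, so VMware Workstation or
# VirtualBox can attach the image as an existing disk without converting it.
# Assumes: a raw (dd) image; the .vmdk is placed next to the image.

# vmdk_descriptor IMAGE.dd OUT.vmdk  -> writes OUT.vmdk; returns 1 on bad input
vmdk_descriptor() {
    img=$1; out=$2
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
    bytes=$(wc -c < "$img" | tr -d ' ')
    # VMDK extents are counted in 512-byte sectors; a raw disk image is always
    # a whole number of them. Anything else is probably not a raw image (E01?).
    if [ $((bytes % 512)) -ne 0 ]; then
        echo "size $bytes is not a multiple of 512; not a raw disk image?" >&2
        return 1
    fi
    sectors=$((bytes / 512))
    # Legacy CHS geometry VMware expects in the descriptor (255 heads x 63 sectors).
    cyl=$((sectors / 16065)); [ "$cyl" -lt 1 ] && cyl=1
    cat > "$out" <<EOF
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description: RW <sectors> FLAT "<file>" <offset>
RW $sectors FLAT "$(basename "$img")" 0

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "$cyl"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
EOF
}

# Usage (commented out so the file can be sourced without side effects):
# vmdk_descriptor evidence.dd evidence.vmdk && cat evidence.vmdk
```

The descriptor is opened read-write by the hypervisor, so it does not by itself protect the image; attach it in VMware's non-persistent mode (or as an immutable disk in VirtualBox), and, as the KVM section below stresses, only ever point it at a working copy.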

Paladin 4

- Paladin 4 (free) can convert DD and E01 images to VMDK as well.

Live View

Live View (open source) is reported as not reliable, but it does work with some images.

EnCase

Use EnCase (commercial) to mount the E01 image as an emulated disk (you need to have the Physical Disk Emulator ("PDE") module installed), then use VMware to create a virtual machine from the emulated physical disk. Guidance Software has a good guide on how to do this in their support portal.

Note – EnCase v7 has not been proven to support this, only EnCase 6.

VFC - Virtual Forensic Computing

VFC (Commercial) is reportedly very good, but troubles with booting Windows 2003 servers have been reported. It's a little pricey ($1350 for a Corp license) but per one user it WORKS the vast majority of the time and the developer provides excellent support.

Creating a KVM image

From the Linux command prompt:

kvm -hda myimage.dd

Memory size can be set as an option, CD drives can be presented, etc., and there is an option equivalent to VMware's non-persistent mode.

Warning: It has been determined that using kvm's non-persistent mode can still result in an altered image. Always, always, always work from a copy.
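The warning above is the reason to combine KVM's non-persistent mode with a working copy and a hash check. The script below is an added example, not part of the original article: it copies the image, records its SHA-256, boots the copy with qemu's -snapshot option (which diverts writes to a temporary overlay, the option the text refers to as equivalent to VMware's non-persistent mode), and afterwards checks whether the copy still matches the recorded hash. It assumes the kvm wrapper (qemu-system-x86_64 with KVM enabled on most distributions) and sha256sum are on PATH; the image and ISO names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): boot a forensic image under KVM in
# non-persistent (-snapshot) mode from a working copy, then prove the copy is still
# bit-for-bit identical to what was copied.
# Assumes: the `kvm` wrapper (qemu-system-x86_64 -enable-kvm) and sha256sum on PATH.

# Copy the acquired image and record its SHA-256 beside the copy.
make_working_copy() {          # make_working_copy ORIGINAL.dd WORK.dd
    cp "$1" "$2" || return 1
    sha256sum "$2" | awk '{print $1}' > "$2.sha256"
}

# Returns 0 if the image still matches the recorded hash, 1 if it has been altered.
verify_unchanged() {           # verify_unchanged WORK.dd
    expected=$(cat "$1.sha256")
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Boot the copy with writes diverted to a temporary overlay (-snapshot).
# RAM in MiB (default 2048), optional ISO presented as a CD drive.
# Only ever pass the working copy here, never the original acquisition.
boot_snapshot() {              # boot_snapshot WORK.dd [MEM_MIB] [CDROM.iso]
    img=$1; mem=${2:-2048}; cdrom=$3
    set -- -m "$mem" -snapshot -drive "file=$img,format=raw,if=ide"
    if [ -n "$cdrom" ]; then
        set -- "$@" -cdrom "$cdrom"
    fi
    kvm "$@"
}

# Typical session (commented out so the file can be sourced without launching a VM;
# evidence.dd and tools.iso are placeholder names):
# make_working_copy evidence.dd work.dd
# boot_snapshot work.dd 4096 tools.iso
# verify_unchanged work.dd && echo "working copy unchanged" \
#     || echo "WORKING COPY ALTERED - re-copy from the original before reuse"
```

A failed verify_unchanged after a session is exactly the case the warning describes: the overlay did not catch every write, so the copy must be discarded and re-made from the original rather than reused.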

Using the VMDK file

Once you have the VMDK file, you can create a virtual machine in VirtualBox or VMware Workstation and use the VMDK as an existing hard disk for the virtual machine. I prefer to use VMware Workstation because it has a non-persistent mode, which writes changes to a cache file rather than to the forensic image itself, thus maintaining integrity.